RESOLVED FIXED291997
For-In can return duplicate keys in JSC 
https://bugs.webkit.org/show_bug.cgi?id=291997
Summary For-In can return duplicate keys in JSC
EntryHi
Reported 2025-04-23 22:15:08 PDT
Hello, I found a bug in JavaScriptCore. JSC version: c612e507973fe45e1c71c1893376818803781495 poc.js ``` function getKey(x) { var arr = []; for (var i in x) { arr.push(i); } return arr; } function opt() { var x = new String("abc"); function B() { this.bar = 5; this[0] = 4; } B.prototype = x; var y = new B(); var elements = getKey(y); print(elements); } opt(); opt(); opt(); ``` Run args: ./jsc poc.js --useConcurrentJIT=0 --jitPolicyScale=0.1 Result in JSC: 0,bar,0,1,2 0,bar,0,1,2 0,bar,1,2 Result in V8: bar,0,1,2 bar,0,1,2 bar,0,1,2
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2025-04-30 22:16:15 PDT
<rdar://problem/150420842>
Yijia Huang
Comment 2 2025-05-22 22:57:56 PDT
Pull request: https://github.com/WebKit/WebKit/pull/45818
Yijia Huang
Comment 3 2025-05-22 23:00:18 PDT
Thanks for reporting this issue. Since https://tc39.es/ecma262/#sec-enumerate-object-properties says "The mechanics and order of enumerating the properties is not specified ...". So, the patch fixes duplicate property enumeration.
EWS
Comment 4 2025-05-23 10:23:44 PDT
Committed 295350@main (0a1e72158c24): <https://commits.webkit.org/295350@main> Reviewed commits have been landed. Closing PR #45818 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.